ipsec server on debian
hello
first of all, I have performed a (short) search on the forum, but I couldn't find what I was looking for.

I am trying to configure a security gateway on a Debian box:

# uname -a
Linux ipsec01 2.6.22-2-686 #1 SMP Fri Aug 31 00:24:01 UTC 2007 i686 GNU/Linux

basically, this setup should support IPsec transport and tunnel mode on IPv4 and IPv6, automatically negotiate security associations based both on pre-shared keys and on digital certificates, and encrypt and authenticate traffic. The main features I am interested in are IKEv2 and ISAKMP logging. The tunnel will be built towards a Cisco 6500.

I have tried to create a transport mode config with ipsec-tools and racoon. I can start both daemons (running /etc/init.d/ipsec start and /etc/init.d/racoon start I don't get any error messages), but when I ping the Cisco from Debian and vice versa, I can't see any negotiation, only plain messages.

ipsec-tools.conf file:

#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
## Flush the SAD and SPD
#
flush;
spdflush;

## Some sample SPDs for use racoon
spdadd 26.0.0.254 26.0.0.250 any -P out ipsec esp/transport/require;
spdadd 26.0.0.250 26.0.0.254 any -P in ipsec esp/transport/require;

#add 26.0.0.250 26.0.0.254 esp 15701 -E des-cbc "cheie"
#add 26.0.0.254 26.0.0.250 esp 24501 -E des-cbc "cheie"

racoon.conf file:

# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
#RACOON_OPTS="-4 -l /var/log/racoon.log"
#RACOON_CONF="/etc/racoon/racoon.conf"
#RACOON_PSK_FILE="/etc/racoon/psk.txt"
#SETKEY_CONF="/etc/ipsec-tools.conf"
#RACOON_RESET_TABLES="true"

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

listen {
        isakmp 26.0.0.254[10];
        #admin[7002];
        #strict_address;
}

timer {
        counter 5;
        interval 20 sec;
        persend 1;
        # how long to wait for each phase
        phase1 90 sec;
        phase2 90 sec;
}

# this is the debian peer
remote anonymous {
        exchange_mode aggressive,main;
        my_identifier address "26.0.0.254";
        # doi ipsec_doi;
        situation identity_only;
        initial_contact on;
        proposal_check obey;
        proposal {
                encryption_algorithm des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
}

iptables allows all traffic:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

when I ping the Cisco from the Debian, this is what I have in the /var/log/syslog file:

Nov 22 20:06:18 ipsec01 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: giving up on message 0x828ccc0, exchange ISAKMP-peer-west
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: either this message did not reach the other peer
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: or the response message did not reach us back

cisco config looks like this:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cheie address 20.0.0.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IL esp-des esp-md5-hmac
!
crypto map IL 10 ipsec-isakmp
 set peer 20.0.0.254
 set transform-set IL
 match address 100

and it is applied on an interface:

interface FastEthernet5/0
 ip address 26.0.0.250 255.255.0.0
 duplex auto
 speed auto
 crypto map IL
 no shut

I have used online tutorials, but I am obviously doing something wrong. Could you please help me out with this?

thanks a lot
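When no IKE exchange is visible at all, the first thing to verify is whether the two peers' proposals and addressing line up. This added example (not from the original post) parses trimmed copies of the racoon.conf and Cisco configuration quoted above and lists every parameter the two sides disagree on; the IOS defaults it assumes for omitted policy lines (des, sha, rsa-sig, group 1) and the UDP 500 ISAKMP port are documented IOS behaviour, not values taken from the post.

```python
import re
# Constructed samples, trimmed from the racoon.conf and Cisco configuration quoted in the post.
RACOON_CONF = """
listen { isakmp 26.0.0.254[10]; }
remote anonymous { proposal { encryption_algorithm des; hash_algorithm sha1;
                              authentication_method pre_shared_key; dh_group 2; } }
sainfo anonymous { pfs_group 2; encryption_algorithm des; authentication_algorithm hmac_sha1; }
"""
CISCO_CONF = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set IL esp-des esp-md5-hmac
crypto map IL 10 ipsec-isakmp
 set peer 20.0.0.254
 set transform-set IL
"""

def norm(v):
    """Map both vendors' spellings onto one vocabulary (hmac_sha1 / esp-sha-hmac -> sha1)."""
    v = re.sub(r"^esp-|-hmac$|^hmac[_-]", "", v.strip().lower())
    return {"sha": "sha1", "pre-share": "psk", "pre_shared_key": "psk"}.get(v, v)

def grab(pattern, text, default):
    return next(iter(re.findall(pattern, text, re.M)), default)

def parse_racoon(text):
    phase1, phase2 = text.split("sainfo", 1)  # remote{} (IKE) block, then sainfo{} (ESP) block
    kv = lambda s: dict(re.findall(r"(\w+)\s+([^;{}]+);", s))
    p1, p2 = kv(phase1), kv(phase2)
    addr, port = re.search(r"isakmp\s+([\d.]+)\[(\d+)\]", text).groups()
    return {"ike_enc": p1["encryption_algorithm"], "ike_hash": p1["hash_algorithm"],
            "ike_auth": p1["authentication_method"], "ike_group": p1["dh_group"],
            "esp_enc": p2["encryption_algorithm"], "esp_auth": p2["authentication_algorithm"],
            "pfs": p2.get("pfs_group", "off"), "debian_addr": addr, "ike_port": port}

def parse_cisco(text):
    esp = grab(r"^crypto ipsec transform-set \S+ ([^\n]+)", text, "").split()
    return {"ike_enc": grab(r"^\s*encryption (\S+)", text, "des"),  # IOS defaults used when
            "ike_hash": grab(r"^\s*hash (\S+)", text, "sha"),       # the policy omits a line
            "ike_auth": grab(r"^\s*authentication (\S+)", text, "rsa-sig"),
            "ike_group": grab(r"^\s*group (\d+)", text, "1"),
            "esp_enc": esp[0] if esp else "", "esp_auth": esp[1] if len(esp) > 1 else "",
            "pfs": grab(r"^\s*set pfs group(\d+)", text, "off"),
            "debian_addr": grab(r"^\s*set peer (\S+)", text, ""),  # IOS's view of the Debian peer
            "ike_port": "500"}  # IOS ISAKMP uses UDP 500

def mismatches(racoon, cisco):
    """Parameters the two peers would never agree on during IKE negotiation."""
    return {k: (norm(racoon[k]), norm(cisco[k])) for k in racoon if norm(racoon[k]) != norm(cisco[k])}
```

On the quoted configs this reports five disagreements: the IKE hash, the ESP authentication algorithm, PFS, the Debian address the Cisco expects, and the ISAKMP port racoon listens on.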